I have drone running on a k8s cluster. One of my pipelines is for a GAE application.
I've been fighting with secrets for a while. It's a bit of a mission to make my secrets available. What I ended up doing was loading my key file name and contents into drone as a pair of secrets, then in my pipeline doing this:
```yaml
- echo $GOOGLE_KEY_CONTENTS > "/etc/google-keys/$${GOOGLE_KEY_NAME}.json"
```
If I `ls` or `cat` then the file is there and everything seems to be in order.
I then run:
```yaml
- gcloud auth activate-service-account --key-file=/etc/google-keys/$${GOOGLE_KEY_NAME}.json
```
And the result is:
```
ERROR: gcloud crashed (ValueError): No key could be detected.
```
The key is there and looks fine to me.
I also tried:
```yaml
- gcloud info --run-diagnostics
```
And got the following output:
```
Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic (1/1 checks) passed.
```
If I try to authenticate with the same key file on my local machine it works just fine.
I've also managed to authenticate to gcloud from within a drone build when the drone instance was not running in k8s, and the secret key file was in a shared volume. (Unfortunately using a volume like this on k8s is impractical because drone wants me to make the secrets available to the base system of every single cluster node, and I'm not going to do that.)
So either the k8s system is stopping gcloud from authenticating. Or I did something wrong when loading up my key. Or something else entirely.
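Whatever the cause turns out to be, a step that writes a key file from an environment variable can do two things before it ever calls gcloud: write the file with safe quoting and owner-only permissions, and confirm the result is still a well-formed service-account JSON key. The shell functions below are an added example, not code from the question; the function names, the path in the usage comment and the constructed sample key are assumptions. The check goes slightly beyond the question's symptom: it also catches the case where the `\n` escapes inside the `private_key` field were expanded into real newlines on the way to disk, which some `/bin/sh` `echo` implementations do and which leaves the file as invalid JSON.

```shell
#!/bin/sh
# Added example, not code from the original post: write a service-account key
# that arrives in an environment variable to a file with tight permissions, then
# sanity-check the file before gcloud sees it. Function and variable names are
# assumptions; SAMPLE_KEY is a constructed fake, not a real credential.

# write_key_file DEST CONTENTS
# printf is used instead of echo because some /bin/sh echo implementations
# interpret backslash escapes, which would turn the "\n" sequences inside the
# JSON private_key field into real newlines and leave the file as invalid JSON.
# The expansion is quoted so the shell does no word splitting or globbing on it.
write_key_file() {
    dest=$1
    contents=$2
    mkdir -p "$(dirname "$dest")"
    # umask in a subshell: the key file is created owner-read/write only
    # without changing the umask for the rest of the step.
    ( umask 077; printf '%s\n' "$contents" > "$dest" )
}

# check_key_file FILE
# Returns 0 if FILE looks like a Google service-account JSON key, 1 otherwise,
# and names the first problem found on stderr.
check_key_file() {
    f=$1
    [ -s "$f" ] || { echo "key file missing or empty: $f" >&2; return 1; }
    grep -q '"type": *"service_account"' "$f" \
        || { echo "type field is not service_account" >&2; return 1; }
    grep -q '"client_email": *"[^"]*@[^"]*"' "$f" \
        || { echo "client_email missing" >&2; return 1; }
    # The private key must still be one JSON string containing literal \n
    # escapes. If the PEM header is followed by a real newline instead, the
    # escapes were expanded on the way to disk and the JSON is broken.
    grep -q '"private_key": *"-----BEGIN PRIVATE KEY-----\\n' "$f" \
        || { echo "private_key missing or its newline escapes were expanded" >&2; return 1; }
    return 0
}

# Constructed sample key for trying the functions offline (fake values).
SAMPLE_KEY='{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC\n-----END PRIVATE KEY-----\n",
  "client_email": "ci-deployer@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "token_uri": "https://oauth2.googleapis.com/token"
}'

# demo_key_handling: write SAMPLE_KEY to a temporary directory and check it.
# Returns the check's status (0 = the file is usable).
demo_key_handling() {
    dir=$(mktemp -d)
    write_key_file "$dir/ci-deployer.json" "$SAMPLE_KEY"
    check_key_file "$dir/ci-deployer.json"
    status=$?
    rm -rf "$dir"
    return $status
}

# In a pipeline step the same two calls would be (variable names assumed):
#   write_key_file "/etc/google-keys/${GOOGLE_KEY_NAME}.json" "$GOOGLE_KEY_CONTENTS"
#   check_key_file "/etc/google-keys/${GOOGLE_KEY_NAME}.json" \
#       && gcloud auth activate-service-account --key-file="/etc/google-keys/${GOOGLE_KEY_NAME}.json"
```

Running `check_key_file` before `gcloud auth activate-service-account` turns a vague crash into a one-line message that says whether the file is empty, not a service-account key, or a key whose escapes were mangled, which is the first thing to rule out when a key works locally but not in the pipeline.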
The only way I could get it right was the following:
Note the conspicuous lack of k8s secrets and k8s volumes.
The reason for this is that the drone agent might show up on any node (I suppose node labels could have been used if I insisted on putting the keys on just one node, but I figure one node is as secure as the next in my cluster and the secrets are tiny...). So simply scp them to where they need to be.
The drone agent can't access any k8s mounted volumes. Only volumes from the base system. I suppose drone wasn't built for use with k8s.
As described in this link, if you're using a service account to authenticate in applications running on Kubernetes, you need to use a secrets resource.
As described in step 5, this secret will be used as an environment variable. The secret will be only accessible by the application where you have mounted the secret volume.
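The two Kubernetes objects this answer refers to, as an added example that is not from the answer or from the page it links to: a Secret that carries the key file, and a Pod that mounts it read-only and points `GOOGLE_APPLICATION_CREDENTIALS` at the mounted path so that gcloud and the client libraries find it. The script renders both manifests from a key file so the base64 step and the mount settings are explicit; the object names, namespace, image tag and mount path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer or the page it links to: render
# the two Kubernetes objects involved, a Secret carrying a service-account key
# file and a Pod that mounts it read-only and tells gcloud where to find it via
# GOOGLE_APPLICATION_CREDENTIALS. Object names, namespace, image tag and mount
# path are assumptions; the key file in the usage comment is a constructed fake.

# render_key_secret NAME NAMESPACE KEYFILE
# Secret "data" values must be base64-encoded. GNU base64 wraps long output at
# 76 columns, so the newlines are stripped with tr to keep the YAML a single line.
render_key_secret() {
    name=$1; ns=$2; keyfile=$3
    b64=$(base64 < "$keyfile" | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  key.json: $b64
EOF
}

# render_pod NAME NAMESPACE SECRETNAME
# The key is mounted as a file (defaultMode 0400, readOnly) rather than copied
# into an environment variable; the only environment variable is the path.
render_pod() {
    name=$1; ns=$2; secret=$3
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
  namespace: $ns
spec:
  containers:
  - name: deploy
    image: google/cloud-sdk:slim
    command: ["gcloud", "auth", "activate-service-account", "--key-file=/var/secrets/google/key.json"]
    env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /var/secrets/google/key.json
    volumeMounts:
    - name: google-key
      mountPath: /var/secrets/google
      readOnly: true
  volumes:
  - name: google-key
    secret:
      secretName: $secret
      defaultMode: 0400
EOF
}

# decode_secret_key SECRET_YAML
# Reverse of render_key_secret: prints the key file stored in a rendered Secret,
# useful for confirming that what goes into the cluster is byte-identical.
decode_secret_key() {
    sed -n 's/^  key\.json: //p' "$1" | base64 -d
}

# Usage (assumed file names): write both manifests and apply them with kubectl.
#   render_key_secret gcp-sa-key ci ./ci-deployer.json > secret.yaml
#   render_pod deploy-gae ci gcp-sa-key > pod.yaml
#   kubectl apply -f secret.yaml -f pod.yaml
```

Keeping the key as a mounted file rather than an environment variable value means it does not show up in `kubectl describe pod` output or in the process environment of every child process, and `readOnly: true` with `defaultMode: 0400` keeps the container from rewriting or over-sharing it.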